Re: Carnivore Update - Washington Post 11/21/00

From: Vadim Antonov

Date: Thu Nov 23 22:20:15 2000

> > of course carnivore has no problem decrypting SSL.
>
> Source, please.

I do not think that carnivore is doing that, but SSL is not resistant to
the man-in-the-middle attack. The problem here is in the lack of any
useful certificate validation support. How many users actually check that
the site certificate indeed belongs to whoever is identified as the site owner
on the Web pages?

(Plus, it depends on the security of certification authority's private
keys, their public parts being non-revocable, because they are bundled
with browser software. I have a little doubt that it is all too easy for
law enforcement to obtain these keys if they need to. Interests of my
privacy definitely do not match interests of RSA Cert. Auth., Inc, a
commercial entity. Of course, I have no proof that this happened, but I
have no reason to trust that it didn't happen, too.)

--vadim
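
Added example, not part of the original post: one way a client can do the check the message says users skip, by comparing the presented certificate's fingerprint against one recorded earlier or obtained out of band, so a different certificate is flagged even when it chains to a bundled CA. `PinStore`, the verdict strings and the sample byte strings are hypothetical and constructed for illustration; `chain_ok` is assumed to be the TLS library's own validation result.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# In a live client the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
LEGIT_DER = b"constructed DER bytes: certificate the site operator published"
SUBSTITUTE_DER = b"constructed DER bytes: different certificate, same name, trusted CA"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def _norm(host: str) -> str:
    # Host names are case-insensitive and may carry a trailing root dot.
    return host.strip().rstrip(".").lower()


class PinStore:
    """Hypothetical helper: remembers one certificate fingerprint per host."""

    def __init__(self, pins=None):
        # pins: optional {host: hex fingerprint} obtained out of band.
        self._pins = {_norm(h): fp.lower() for h, fp in (pins or {}).items()}

    def check(self, host: str, der: bytes, chain_ok: bool) -> str:
        """chain_ok is the TLS library's own CA-chain verdict (assumed input)."""
        if not chain_ok:
            return "reject-chain"      # ordinary validation already failed
        host, seen = _norm(host), fingerprint(der)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = seen    # trust on first use: record, cannot verify
            return "first-seen"
        if hmac.compare_digest(known, seen):
            return "match"
        # Chain is valid yet the certificate changed: the case a CA signature
        # alone cannot distinguish. Keep the old pin and surface the change.
        return "mismatch"
```

A "mismatch" also occurs on a legitimate certificate renewal, so it calls for re-verifying the fingerprint out of band rather than silently accepting the new one.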